Wednesday, August 20, 2014

Playing with puppet

In the last couple of days I've been playing with Puppet a lot. In today's post I'll describe how to install and configure Puppet in the agent/master architecture. The OS used is CentOS 7.

I'm going to use two virtual machines, puppet and puppet7. The puppet host will be the Puppet master and puppet7 will be the client/agent. The first thing to do is to add the EPEL repository on both guests, because it contains the Puppet packages. Note that the release RPM is fetched over plain HTTP and yum localinstall does not GPG-check local packages by default, so verify its signature (rpm's -K check, after importing the EPEL 7 signing key) before installing it:

[root@puppet ~]# curl -O http://mirror.vutbr.cz/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
[root@puppet ~]# yum localinstall epel-release-7-0.2.noarch.rpm 

I need to do the same on puppet7:

[root@puppet7 ~]# curl -O http://mirror.vutbr.cz/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
[root@puppet7 ~]# yum localinstall epel-release-7-0.2.noarch.rpm 

Now it's time to install Puppet. I'll start with the master and install the puppet-server package first.

[root@puppet ~]# yum install puppet-server

I'll keep the configuration at its defaults. I just tell the master what changes to apply on the puppet7 agent. These changes are described in the following file:

[root@puppet ~]# cat /etc/puppet/manifests/site.pp 
    node 'puppet7.localdomain' {

        user { 'test':
            ensure => 'present',
            home => '/home/test',
            managehome => true,
            uid => 5555,
            gid => 52,
            password => '$6$RjjYOArA$DqJfCY81QtNpYvlHHxMTDIuvXtIVwznRRH3ww2HU4NWU.GJ2SgJiOOnDh8DSPsPOB.JiyRM2a9sKzaYOb5K3f0',
        }
    }

The change is quite simple: on node puppet7, create user test with the given properties. The password is supplied as a SHA-512 crypt hash (the $6$ prefix), i.e. exactly what ends up in /etc/shadow, so the manifest never holds a plaintext password. I'm almost done with the master. The last remaining thing is to enable and start the puppetmaster service:

[root@puppet ~]# systemctl status puppetmaster
puppetmaster.service - Puppet master
   Loaded: loaded (/usr/lib/systemd/system/puppetmaster.service; disabled)
   Active: inactive (dead)

[root@puppet ~]# systemctl enable puppetmaster
ln -s '/usr/lib/systemd/system/puppetmaster.service' '/etc/systemd/system/multi-user.target.wants/puppetmaster.service'
[root@puppet ~]# systemctl start puppetmaster
[root@puppet ~]# systemctl status puppetmaster
puppetmaster.service - Puppet master
   Loaded: loaded (/usr/lib/systemd/system/puppetmaster.service; enabled)
   Active: active (running) since Tue 2014-08-19 10:16:11 CEST; 5s ago
 Main PID: 19190 (start-puppet-ma)
   CGroup: /system.slice/puppetmaster.service
           ├─19190 /bin/sh /usr/bin/start-puppet-master master --no-daemonize
           └─19191 /usr/bin/ruby /usr/bin/puppet master --no-daemonize

Aug 19 10:16:11 puppet.localdomain systemd[1]: Started Puppet master.
Aug 19 10:16:14 puppet.localdomain puppet-master[19191]: Signed certificate request for ca
Aug 19 10:16:15 puppet.localdomain puppet-master[19191]: puppet.localdomain has a waiting certificate request
Aug 19 10:16:15 puppet.localdomain puppet-master[19191]: Signed certificate request for puppet.localdomain
Aug 19 10:16:15 puppet.localdomain puppet-master[19191]: Removing file Puppet::SSL::CertificateRequest puppet.localdomain at '/var/lib/puppet/ssl/ca/requests/puppet.localdomain.pem'
Aug 19 10:16:15 puppet.localdomain puppet-master[19191]: Removing file Puppet::SSL::CertificateRequest puppet.localdomain at '/var/lib/puppet/ssl/certificate_requests/puppet.localdomain.pem'
Aug 19 10:16:15 puppet.localdomain puppet-master[19191]: Starting Puppet master version 3.6.2

The master is up and running. The log also shows that on first start it created its own CA and signed its own certificate; the CA key under /var/lib/puppet/ssl/ca is the root of trust for every agent, so keep that directory root-only and backed up. Let's look at the agent. I'll again start with package installation:

[root@puppet7 ~]# yum install puppet

I won't configure anything. How does the agent find out who the Puppet master is? By default it connects to the host named puppet (the server setting in puppet.conf), which is my case. It should work:

[root@puppet7 ~]# systemctl enable puppet
ln -s '/usr/lib/systemd/system/puppet.service' '/etc/systemd/system/multi-user.target.wants/puppet.service'
[root@puppet7 ~]# systemctl start puppet
[root@puppet7 ~]# systemctl status puppet
puppet.service - Puppet agent
   Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled)
   Active: active (running) since Tue 2014-08-19 13:14:55 CEST; 17s ago
 Main PID: 10294 (start-puppet-ag)
   CGroup: /system.slice/puppet.service
           ├─10294 /bin/sh /usr/bin/start-puppet-agent agent --no-daemonize
           └─10295 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

Aug 19 13:14:55 puppet7.localdomain systemd[1]: Started Puppet agent.
Aug 19 13:14:57 puppet7.localdomain puppet-agent[10295]: Could not request certificate: No route to host - connect(2)

OMG, the firewall is blocking communication again! "No route to host" is what the agent sees when firewalld's public zone rejects the connection with an ICMP host-prohibited message. I'll define a puppet service for firewalld (TCP port 8140) and add the service to the public zone on the Puppet master. How to do it is described in the previous post.
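As an added example (my own code, not from this post or the previous one it refers to), here is how the firewalld part can be scripted on the master: drop a service definition for TCP 8140 into /etc/firewalld/services, add it to the public zone, and check from the agent side that the port is reachable. The service directory, the zone name and the function names are assumptions; firewalld's service XML format and the firewall-cmd options used are real.

```shell
# Added example: open TCP 8140 for the Puppet master with firewalld and
# verify reachability from the agent.  Assumed: firewalld is the active
# firewall and the master's interface sits in the "public" zone.

# Write a firewalld service definition for Puppet.  Takes the target
# directory as an argument so it can be dry-run into a temp dir;
# defaults to firewalld's local service directory.
write_puppet_firewalld_service() {
    dir="${1:-/etc/firewalld/services}"
    cat > "$dir/puppet.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>puppet</short>
  <description>Puppet master: agent-to-master traffic on TCP 8140</description>
  <port protocol="tcp" port="8140"/>
</service>
EOF
}

# Make firewalld pick up the new service file, allow it permanently in
# the public zone, activate the change and show the result.  Run as root
# on the master.  Only 8140/tcp is opened, nothing wider.
enable_puppet_service() {
    firewall-cmd --reload                                   # load the new service file
    firewall-cmd --permanent --zone=public --add-service=puppet
    firewall-cmd --reload                                   # apply the permanent config
    firewall-cmd --zone=public --list-services              # "puppet" should be listed
}

# port_open HOST PORT: succeed if a TCP connect to HOST:PORT works.
# Uses bash's /dev/tcp so it needs no nc/telnet on the agent; the 3 s
# timeout keeps a firewall that silently drops packets from hanging us.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage on the master:  write_puppet_firewalld_service && enable_puppet_service
# Usage on the agent:   port_open puppet 8140 && echo reachable || echo blocked
```

Running port_open from puppet7 before and after enable_puppet_service is the quickest way to tell a firewall problem from a certificate problem: the agent's "Could not request certificate" above is the former, the "Did not receive certificate" later in the post is the latter.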

When the firewall issue is fixed, the agent generates a certificate request, sends it to the master and waits for approval, retrying every two minutes (the waitforcert default). If the request isn't approved for some time, the agent complains:

[root@puppet7 certificate_requests]$ systemctl status  puppet
puppet.service - Puppet agent
   Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled)
   Active: active (running) since Wed 2014-08-20 14:07:10 CEST; 3min 5s ago
 Main PID: 3352 (start-puppet-ag)
   CGroup: /system.slice/puppet.service
           ├─3352 /bin/sh /usr/bin/start-puppet-agent agent --no-daemonize
           └─3353 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize

Aug 20 14:07:10 puppet7.localdomain systemd[1]: Starting Puppet agent...
Aug 20 14:07:10 puppet7.localdomain systemd[1]: Started Puppet agent.
Aug 20 14:09:12 puppet7.localdomain puppet-agent[3353]: Did not receive certificate

On the master I'll approve (sign) the certificate request. Signing is the point where the host becomes trusted, so compare the fingerprint that puppet cert list shows with the one the agent reports (puppet agent --fingerprint on puppet7) before signing, and don't turn on autosign:

[root@puppet ~]# puppet cert list
  "puppet7.localdomain" (SHA256) DB:DA:F2:5E:C6:60:E8:3C:12:58:25:A5:CD:99:E8:54:9B:CB:F3:B4:06:13:32:AE:F8:51:FB:0A:57:7F:50:B6
[root@puppet ~]# puppet cert sign puppet7.localdomain
Notice: Signed certificate request for puppet7.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest puppet7.localdomain at '/var/lib/puppet/ssl/ca/requests/puppet7.localdomain.pem'
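Anything that can reach port 8140 can submit a CSR under any certname it likes, and once that request is signed the master hands out the catalog for that node. The following added example (my own code, not from the post or from Puppet) wraps puppet cert sign so that it only signs when the CSR fingerprint shown by puppet cert list matches the one read from the agent itself with puppet agent --fingerprint over a channel you trust (the console, or an ssh session to puppet7). The function names are mine; the puppet cert list line format is the one the post shows, and I assume the agent prints its fingerprint in the same colon-separated form, optionally prefixed with the digest name in parentheses.

```shell
# Added example: sign a Puppet CSR only after the fingerprints agree.
# Assumed: run as root on the master; NAME is the agent's certname and
# EXPECTED_FP was copied from `puppet agent --fingerprint` on that agent.

# cert_request_fingerprint LINE: turn one line of `puppet cert list`
# output, e.g.
#   "puppet7.localdomain" (SHA256) DB:DA:F2:...:B6
# into "puppet7.localdomain DB:DA:F2:...:B6".  Prints nothing if the
# line does not look like a pending request.
cert_request_fingerprint() {
    printf '%s\n' "$1" |
        sed -n 's/^ *"\([^"]*\)" *(SHA256) *\([0-9A-Fa-f:]*\).*$/\1 \2/p'
}

# normalize_fp FP: strip an optional "(SHA256)" prefix, colons and
# spaces, and uppercase the hex, so fingerprints copied from different
# places compare byte for byte.
normalize_fp() {
    printf '%s' "$1" | sed 's/^ *([A-Za-z0-9]*) *//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprints_match A B: succeed only if both are non-empty and equal
# after normalisation.  An empty value (no pending CSR, typo in the
# certname) must never compare equal, so the empty check comes first.
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# sign_if_fingerprint_matches NAME EXPECTED_FP: look the pending request
# up by certname, compare, and only then call puppet cert sign.
sign_if_fingerprint_matches() {
    name="$1"; expected="$2"
    line=$(puppet cert list 2>/dev/null | grep -F "\"$name\"" || true)
    actual=$(cert_request_fingerprint "$line" | cut -d' ' -f2)
    if fingerprints_match "$actual" "$expected"; then
        puppet cert sign "$name"
    else
        echo "refusing to sign $name: CSR fingerprint '$actual' does not match agent's '$expected'" >&2
        return 1
    fi
}

# Usage on the master, with the value read from the agent's console:
#   sign_if_fingerprint_matches puppet7.localdomain 'DB:DA:F2:5E:C6:60:E8:3C:12:58:25:A5:CD:99:E8:54:9B:CB:F3:B4:06:13:32:AE:F8:51:FB:0A:57:7F:50:B6'
```

If the fingerprints differ, leave the request unsigned and find out who sent it; a mismatch means something other than puppet7 is asking to be puppet7.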

The communication channel is established. After a few minutes I can see in the log that the user has been created:

[root@puppet7 certificate_requests]$ systemctl status  puppet
.
.
.
Aug 20 14:13:12 puppet7.localdomain puppet-agent[3353]: Did not receive certificate
Aug 20 14:15:12 puppet7.localdomain puppet-agent[3353]: Starting Puppet client version 3.6.2
Aug 20 14:15:16 puppet7.localdomain useradd[3543]: new user: name=test, UID=5555, GID=52, home=/home/test, shell=/bin/bash
Aug 20 14:15:16 puppet7.localdomain puppet-agent[3406]: (/Stage[main]/Main/Node[puppet7.localdomain]/User[test]/ensure) created
Aug 20 14:15:16 puppet7.localdomain puppet-agent[3406]: Finished catalog run in 0.24 seconds
[root@puppet7 certificate_requests]$ id test
uid=5555(test) gid=52(puppet) groups=52(puppet)

If I didn't want to wait I would run puppet agent -t (--test) on the agent. This command triggers an immediate catalog run instead of waiting for the default 30-minute run interval. (puppet apply is a different thing: it applies a local manifest without talking to a master.)
